Number | Title | Impact | Priority | Subject Area |
---|---|---|---|---|
PE-3 | Physical Access Control | LOW | P1 | Physical And Environmental Protection |
Instructions |
---|
The organization: |

Item | Requirement |
---|---|
PE-3a. | Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by: |
PE-3a.1. | Verifying individual access authorizations before granting access to the facility; and |
PE-3a.2. | Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; |
PE-3b. | Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; |
PE-3c. | Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; |
PE-3d. | Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; |
PE-3e. | Secures keys, combinations, and other physical access devices; |
PE-3f. | Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and |
PE-3g. | Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. |
Guidance |
---|
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. |
Enhancements |
---|

Enhancement | Requirement |
---|---|
PE-3(1) | The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. |
PE-3(2) | The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. |
PE-3(3) | The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. |
PE-3(4) | The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access. |
PE-3(5) | The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system. |
PE-3(6) | The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. |